FIG Top 5 at 5 - 22/06/2023

1. Central Bank of Ireland Intermediary Times – June 2023

On 16 June 2023, the Central Bank of Ireland ("Central Bank") published the latest edition of its "Intermediary Times" newsletter, a twice yearly publication by the Retail Intermediaries supervision team of the Central Bank's Consumer Protection Directorate.

The newsletter covers topics of interest, new items on the Central Bank's website and regulatory issues that retail intermediary firms need to be aware of. Topics of note for firms in this edition include:

1. What’s New:

• EIOPA supervisory statement on the use of governance arrangements in third countries – February 2023: The European Insurance and Occupational Pensions Authority ("EIOPA") published a supervisory statement to ensure appropriate supervision of the compliance of insurance undertakings’ and intermediaries’ activities in relation to their governance arrangements in third countries. The Central Bank has confirmed that EIOPA and National Competent Authorities including the Central Bank will be closely monitoring market developments regarding the use of third country governance arrangements.

• Changes to the Central Bank Portal: Later this year regulatory returns will only be accessible via the Central Bank's Portal and the Central bank therefore requests that any firms that have not yet linked their current Online Reporting ("ONR") accounts to their Portal accounts should do so in advance of this change.

• European Commission Retail Investment Strategy: As reported in the FIG Top 5 at 5 of 1 June 2023, the European Commission ("Commission") adopted a retail investment package on 24 May 2023 which aims to "empower retail investors to make investment decisions that are aligned with their needs and preferences, ensuring that they are treated fairly and duly protected". The Central Bank notes its expectation that all retail intermediaries providing investment services will be cognisant of the strategy and the potential significant impact on investor protection requirements.

2. Information on Mortgage Intermediary Renewals: All firms authorised as a mortgage intermediary under the Consumer Credit Act 1995 prior to 2017 are required to apply for a new authorisation under the European Union (Consumer Mortgage Credit Agreements) Regulations 2016 ("CMCAR"), before their current authorisation expires as most firms authorised pre-2017 were granted an authorisation for a fixed period of 10 years. New CMCAR authorisations do not have a limited time period.

3. Updates on the Fitness and Probity ("F&P") requirements for Pre-Approval Controlled Function ("PCFs") appointments: The Central Bank notes that the Intermediary Times edition of June 2022 provided information on the F&P assessment and common issues that arise during the application process and notes that firms intending to apply for authorisation as an intermediary should review this information to avoid the common issues identified.

4. Changes to the F&P application process: As reported in the FIG Top 5 at 5 of 9 March 2023, the Central Bank's Portal has been updated to facilitate the submission of  PCF applications. As reported in the FIG Top 5 at 5 of 6 April 2023, the Central Bank has also published a new Information Questionnaire ("IQ") and an accompanying draft guidance document on F&P IQ applications which provides guidance for firms in relation to submitting IQs for PCF applicants through the Central Bank's Portal. The Central Bank emphasises that all individuals who are involved in the submission of an IQ should familiarise themselves with the new IQ process.

5. ESMA public statement on risks from unregulated products

On 25 May 2023, the European Securities and Markets Authority ("ESMA") issued a public statement highlighting the risks arising from the provision of unregulated products and services by investment firms.

The Central Bank notes that ESMA's public statement reiterates many of the expectations set out in the Central Bank's Dear CEO letter of June 2020. The Central Bank notes that while the expectations of the Dear CEO letter and the ESMA statement are focused on the investment sector, they are equally applicable to retail intermediaries.

ESMA's statement notes that when providing unregulated products firms should:

• take all necessary measures to ensure that consumers are fully aware of the regulatory status of their product/service;
• ensure terminology used does not imply that the product and/or service is regulated or protected where this is not the case;
• clearly disclose to clients when regulatory protections (including investor compensation schemes) do not apply to the product or service provided;
• ensure that the investment firm’s regulatory status is not used as a promotional tool; and
• ensure information on the firm’s website related to unregulated activities is clearly distinguished from regulated activities.

The Central Bank expects that:

• firms will clearly and effectively distinguish unregulated products or services from their regulated business;
• firms will read the ESMA statement in conjunction with the Central Bank’s Dear CEO letter and will review their arrangements, processes and disclosures to ensure that they meet the expectations specified;
• firms will make the necessary adjustments to ensure they are mitigating risks to consumers if offering unregulated products and services; and
• retail intermediaries will consider their Professional Indemnity Insurance cover, and whether or not this insurance covers unregulated activities. This should be clearly disclosed to consumers prior to offering an unregulated product or service.

In addition, the Central Bank is considering the input received to the Discussion Paper on the review of the Consumer Protection Code regarding the Central Bank's concerns regarding the potential ‘halo effect’ of regulated firms providing unregulated products or services.

6. Key Consumer Risks in the Retail Intermediary sector: As reported in the FIG Top 5 at 5 of 16 March 2023, the Central Bank published its Consumer Protection Outlook Report for 2023 on 13 March 2023 which provides details of the key risk for consumers in Ireland. The Central Bank notes that these risks are particularly relevant to the retail intermediary sector and expects retail intermediaries to consider and assess these risks in the context of their own business activities, and make changes where necessary to ensure they are acting in the best interests of consumers.

In addition to the Consumer Protection Outlook Report, the Central Bank has developed a multi­year Retail Intermediary Sectoral Strategy. The three key risk areas for the sector are:

• risk that the sector may not always meet consumer’ needs, including where firms do not have adequate practices and/or processes;
• commissions and ineffective disclosures; and
• changing operational landscape.

As part of this strategy, the Central Bank will undertake a thematic inspection in H2 2023  focusing on firms’ practices and standards, and a review of firms’ compliance with the Minimum Competency Code and know your client and suitability provisions in the Consumer Protection Code. The Central Bank has advised that firms will be given sufficient notice where required to make submissions or prepare for onsite visits.

7. Structured Retail Products: As reported in the FIG Top 5 at 5 of 9 March 2023, the Central Bank published, on 3 March 2023, updated guidance for MiFID investment firms in relation to the sale and marketing of Structured Retail Products ("SRPs"). The Central Bank highlights that this guidance is directly applicable to retail intermediaries as a key distribution channel for SRPs. The Central Bank notes its expectation that where SRPs are sold to investors, they are sold with proper investment advice, including an assessment of the client’s individual circumstances and a determination on whether the product is suitable for them. Retail intermediaries selling complex investment products must fully understand the products and risks, to enable them to provide quality, suitable advice that is in consumers’ best interests.

8. Annual Returns: The Central Bank reminds retail intermediaries of their obligation to submit an annual return to the Central Bank no later than six months after their financial year-end. This must be submitted via the ONR, which from Q4 will only be available via the Central Bank's Portal. Failure to submit an annual return may result in the Central Bank taking supervisory or enforcement action.

9. Anti-Money Laundering and Countering the Financing of Terrorism ("AML/CFT") Risk Evaluation Questionnaire ("REQ"): The Central Bank has advised that it will be requesting a sample of the retail intermediary sector to submit an REQ as part of its 2023 AML/CFT supervisory programme. Firms selected for this sample will be contacted directly by the Central Bank. The Central Bank also reminds retail intermediaries of their obligation to comply with the AML/CFT requirements and notes that firms found in breach will be required to undertake remediation action.   

2. Central Bank of Ireland thematic assessment on Embedding an effective conduct-focused culture in wholesale market firms

On 15 June 2023, the Central Bank of Ireland ("Central Bank") published a thematic assessment entitled, 'Thematic assessment Embedding an effective conduct-focused culture in wholesale market firms', analysing the approach taken by Boards and senior management to foster and embed an effective conduct-focused culture. The assessment involved an analysis of the conduct risk management frameworks of a cohort of cross sector firms engaged in MiFID activities, including investment firms, broker-dealers and fund service providers.

The Central Bank noted that there is "broad recognition of the importance of an effective conduct-focused culture with each firm having implemented various different measures to set the tone of their desired firm culture within their organisation" and commended some good practices within the firms assessed. However, it highlighted that firms need to do more to ensure that the desired effective conduct-focused culture is effectively instilled into their day to day operations, supporting governance frameworks, and control frameworks. 

Conduct-focused culture

Effective conduct-focused culture was defined in the report as "a culture that is underpinned by an effective conduct risk management framework which seeks to mitigate the market conduct risks to which a firm is exposed". It is the Central Bank's belief that having such a culture, will minimise the risks of misconduct and governance failures from crystallising.

Leadership and decision-making - "Setting the tone from the top"

The Central Bank made clear that it was not their role to prescribe a one-size fits all culture for all firms to implement, rather, the responsibility of setting the firms' culture lies with the Board and senior management. The onus for implementing the desire culture, however, the Central Bank stressed, lies with all members of management. On this point, it found that firms have made positive efforts to communicate their desired culture. The Central Bank commended the use of Board-approved culture strategies to promulgate the firm's desired culture. However, shortcomings were identified among some firms, with regard to the lack of defined implementation plans or proactive monitoring of the efforts to embed the culture within the firm.

The Central Bank expects the Board and senior management to support the embedding of the firms' desired culture and to consider how they can be assured that the culture is being instilled effectively throughout the firm by, among other obligations, questioning whether strategic decisions align with the culture of the firm. Individually, members of the Board and senior management are required to consider how they can 'set the tone' and must ensure that they make efforts themselves to support and permeate an effective conduct-focused culture within the firm. The Central Bank also called on independent non-executive directors ("INEDs") to challenge the firm's prevailing culture and to critically evaluate the strategic direction of the firm.

The Central Bank notes that Boards and senior management should consider: 

• how they can get assurance that the Board’s desired culture is being effectively delivered throughout the firm;
• individually, how they can set the ‘tone from the top’ and support and embed an effective conduct-focused culture; and
• how the governance framework for the discussion, assessment and consideration of decisions aligns with the firm’s culture and values (e.g. Boards should challenge senior management conclusions where necessary and be assured that strategic decisions align with the desired culture).

Governance structures

The assessment found that most firms have implemented governance frameworks that mandate Board responsibility for the oversight of market conduct risk, which many include delegated responsibilities for the oversight of market conduct risk to Board sub-committees and defined reporting lines and escalation channels for conduct risk issues.

The Central Bank highlighted its expectation that Boards and senior management take "active ownership of the governance of market conduct risk" which includes ensuring the firm has effective frameworks in place for the identification and management of market conduct risk.

Identification, assessment and monitoring of Conduct Risk and Culture

The Central Bank observed a number of deficiencies in the practices of the assessed firms with regard to management information ("MI")  and reporting, including:

• limited reporting to the Board;
• MI and reporting not provided in a timely manner; and
• with regard to global firms, an overall lack of entity specific MI.

The Central Bank stressed that Boards and senior management should be "proactive and ensure they are provided with appropriate, timely MI and reporting" to allow for appropriate challenge and oversight of market conduct risk. In addition, the Central Bank reiterated the importance of considering both quantitative and qualitative metrics, such as acting in clients’ best interests or complying with appropriate conduct practices, when determining remuneration decisions as set out in the Securities Markets Risk Outlook Report 2023 published earlier this year as reported in the FIG Top 5 at 5 of 9 March 2023.

Responsibilities and Expected Behaviours

It was observed that a number of firms were unable to show how the Board and senior management consistently communicate and reinforce expected behaviours to staff throughout the organisation. Furthermore, deficiencies remain among firms' practices in respect of determining remuneration and individual performance management outcomes. For example, 60% of firms assessed could not evidence a direct correlation between individual performance and staff remuneration.  Moreover, the Central Bank recommended that firms should consider changing their stance on error-management prevention, to regarding errors as opportunities for improvement and to communicate learnings to staff to promote an effective conduct-focused culture.

Speak-up culture and Disclosure Policies

The Central Bank stressed that  improvements are required across the board, in relation to the depth, quality and local relevance of firms’ protected disclosure policies and reminded firms that they are required to comply with the Protected Disclosures (Amendment) Act 2022 . Most notably, they observed a lack of clear information within protected disclosure policies regarding the obligations of individuals performing in a Pre-approval Control Function ("PCF") to disclose certain information to the Central Bank as per the Central Bank Supervision & Enforcement Act 2013. However, some firms were praised for the use of anonymous staff surveys on how safe staff feel to speak up and the methods they can use to do so. Firms are expected by the Central Bank to have clear disclosure policies and mechanisms for raising concerns in operation. Furthermore, Boards ought to promulgate a culture where staff feel safe to speak up.

Hybrid-working

The Central Bank reminded firms with a hybrid-working model that they are expected to conduct regular governance reviews and ensure that there are sufficient control frameworks in place to meet their regulatory obligations. Although, they observed some good practices in this area, the Central Bank found in some instances, that there was an absence of formalised policies and procedures in relation to hybrid-working. The Central Bank also noted that of the firms assessed, there was poor comprehension and recognition of particular conduct risks associated with hybrid-working.

The Central Bank noted its expectation that Boards and senior management consider:

• what measures, if any, can be implemented to ensure defined culture, values and expected behaviours are being adhered to in a hybrid-working environment; and
• how effectively their market conduct risk management framework mitigates the particular conduct risks arising from hybrid-working arrangements.

The Central Bank also reminded firms of its expectation that firms operating a hybrid-working model put in place sufficient arrangements to ensure they can continue to meet their regulatory obligations.

Next Steps

The Central Bank made clear in the report that they remain committed to delivering on their mission to serve the public interest by maintaining monetary and financial stability and working to ensure that the financial system operates in the best interest of consumers and the wider economy.  They aim to serve this aim, by among other things, safeguarding the market through supervising, monitoring, and imposing high standards on securities markets. To this end, the Central Bank expects firms to be "guided in all their activities by a commitment of a culture of high standards for conduct and market integrity". 

3. Sustainable Finance Package

On 13 June 2023, the European Commission (the "Commission") published a new package of measures to build on and strengthen the EU sustainable finance framework (the "Package"). 

The Package aims to:

• ensure that the EU sustainable finance framework continues to support companies and the financial sector, while encouraging the private funding of transition projects and technologies;
• ensure that the sustainable finance framework works for companies that want to invest in their transition to sustainability; and
• make the sustainable finance framework easier to use.

EU Taxonomy Delegated Acts

The Commission has:

approved in principle a new set of EU Taxonomy criteria for economic activities making a substantial contribution to one or more of the non-climate environmental objectives:

1. sustainable use and protection of water and marine resources;
2. transition to a circular economy;
3. pollution prevention and control; and
4. protection and restoration of biodiversity and ecosystems.

• adopted targeted amendments to the EU Taxonomy Climate Delegated Act, which expand on economic activities contributing to climate change mitigation and adaptation; and
• adopted amendments to the EU Taxonomy Disclosures Delegated Act, to clarify the disclosure obligations for the additional activities.

Next steps

Once the EU Taxonomy Delegated Acts are available in all EU official languages they will be adopted and transmitted to the European Parliament ("Parliament") and the Council of the EU ("Council") for scrutiny. The EU Taxonomy Delegated Acts are expected to apply as of January 2024.

Proposal for a regulation on the transparency of Environmental, Social and Governance ("ESG") ratings providers

The Commission has also proposed a Regulation on the transparency and integrity of ESG rating activities to improve the reliability and transparency of ESG ratings activities. Among other things, the proposed Regulation would:

• introduce new organisational principles and clear rules on the prevention of conflicts of interest; and
• require that ESG rating providers offering services to investors and companies in the EU be authorised and supervised by the European Securities and Markets Authority ("ESMA").

Next steps

The Commission will now engage in discussions with the Parliament and Council on the proposed Regulation.

Additional documents

In addition to the legislative proposals the Commission published a number of related documents to support the proposals:

• Recommendation on transition finance: The Commission has also published a draft recommendation on facilitating finance for the transition to a sustainable economy. The Commission's recommendation aims to provide guidance and practical examples for companies and the financial sector on how they can voluntarily use the EU's sustainable finance framework to raise, provide or approach transition finance. The recommendation's objective is to facilitate transition finance both for companies that have strong sustainability records and also for companies at different starting points that have "credible plans or targets to improve their sustainability performance".
• Communication on a sustainable finance framework that works on the ground: The Commission  has published a communication on the sustainable finance framework which outlines the detail of the sustainable finance package and next steps including a public consultation assessing the Sustainable Finance Disclosure Regulation ("SFDR") which will be launched in autumn 2023.
• Staff working document on enhancing the usability of the EU Taxonomy and the overall EU sustainable finance: A Commission  staff working document on enhancing the usability of the EU taxonomy and the overall EU sustainable finance framework accompanies the communication on a sustainable finance framework that works on the ground. It provides an overview of the key pillars of the framework now in place and details recently adopted usability measures.
• Commission notice on the interpretation and implementation of certain legal provisions of the EU Taxonomy Regulation and links to the SFDR:  On 12 June 2023, the Commission published a notice on the interpretation and implementation of certain legal provisions of the EU Taxonomy Regulation and links to the SFDR which contains FAQs relating to the Taxonomy Regulation and SFDR. The notice aims to provide some clarifications on how operators should consider the requirements for compliance with minimum safeguards under Article 18 of the Taxonomy Regulation and to clarify the status of investments in Taxonomy-aligned economic activities and assets under the SFDR.

4. European Supervisory Authorities Updates – Annual Reports and consultation on the first batch of DORA policy products

Publication of Annual Reports by European Supervisory Authorities

In June 2023, the European Supervisory Authorities, the European Securities and Market Authority ("ESMA"), the European Insurance and Occupational Pensions Authority ("EIOPA") and the European Banking Authority ("EBA"), issued their annual reports, listing their achievements for 2022 and detailing their plans and upcoming developments for 2023.

ESMA Annual Report

On 15 June 2023, ESMA published its annual report for 2022 - ‘ESMA in 2022 Focus on financial stability and investor protection’, detailing the achievements of the ESMA  during what they coined a “transformative” year including:

• the development of the ESMA’s 2023-2028 strategy;
• peer reviews on the supervision of cross-border services, on prospectus and on the Brexit relocation process;
• targeted responses to the geopolitical challenges of the Russian invasion of Ukraine and the resulting energy crisis;
• from a supervisory perspective, ESMA made its first recommendation to a national competent authority ("NCA") under Article 16 of the ESMA Regulation, following the Peer review on the supervision of crossborder activities of investment firms, and took several Common Supervisory Actions; and
• the first ever mystery shopping exercise carried out in conjunction with ten NCAs.

ESMA notes it had three cross cutting priorities for 2022 (1) supporting the development of sound capital markets; (2) promoting sustainable finance and innovation; and (3) fostering innovation and digitalisation. Achievements under these priorities include:

• technical input on investor protection aspects of the MiFID II/MiFIR review and the proposed Listing Act;
• a three-year sustainable finance roadmap;
• call for evidence on greenwashing, analysis of ESG disclosures in CRA press releases and a consultation on guidelines on ESG terms used in funds names;
• a warning to investors about the risks of crypto-assets; and 
• call for evidence, a report and Q&As to support to the implementation of a distributed ledger technology pilot regime.

Next Steps

Verena Ross, Chair of the ESMA commented that the ESMA will direct its focus in the coming year to “intensifying our work in areas of topical importance across the whole ESMA remit, namely sustainable finance, technological innovation and the increased use of data”.

EIOPA Annual Report

On 14 June 2023, EIOPA issued their annual report for 2022 on their activities and achievements during the year.

EIOPA noted that the uncertainty in Europe due to the war in the Ukraine and the ensuing energy crisis, and the rise in inflation, impacted its approach to meeting its objectives.

Key activities included:

• the launch of its first Europe-wide dashboard on natural catastrophe insurance protection gaps;
• the publication of a supervisory statement on inflation, focusing on the effects of inflation on technical provisions, investments, and solvency capital requirements;
• the issue of its first Institutions for Occupational Retirement Provision test to gain insight into the effects of environmental risks on the European pension sector;
• tesponding to concerns regarding bancassurance transactions through the issue of warnings to insurance product manufacturers and banks acting as insurance distributors, to identify potential sources of product risk and consumer detriment; and
• regarding digital innovation, EIOPA furthered its' work in the areas of open insurance, the use of block chain and machine learning.

Next Steps

In 2023, EIOPA notes it will "continue to deliver effective supervision of and work to identify and mitigate risks in the insurance and pension sectors", so in turn, they may effectively deliver for policy-holders, beneficiaries, business, and overall, for the larger economy.

5. EBA Annual report

On 12 June 2023, the EBA published its annual report, setting out its actions and accomplishments for 2022. Echoing the sentiments of the above reports, EBA noted that their work took place against a background of “uncertainty” and “intensity” due to the aforementioned events, the Brexit “fallout” and interest rate volatility. Nevertheless, the EBA executed 95% of the tasks in their work programme, with François-Louis Michaud, EBA’s Executive Director citing the EBA’s use of banking and financial data and making it available to stakeholders in a variety of forms such as; an evidence-based rulebook, impact assessments and risk analyses, as one particular area where, the EBA’s made significant progress in 2022.

Next Steps

EBA’s strategic priorities for 2023 include;

• finalising the Basel III implementation in the EU which they deem “crucial to the resilience of the banking sector”;
• working on digital finance and delivering on the Markets in Crypto-Assets Regulation ("MiCA") and the Digital Operational Resilience Act ("DORA") mandates, which they believe will protect investors and preserve financial stability in these times of uncertainty;
• enhancing capacity to fight money laundering and the financing of terrorism in the EU including establishing the new Establishing a new Anti-Money Laundering Authority (AMLA) and the new AML/CFT mandates under the Transfer of Funds Regulation;  and
• executing the Environmental, Social and Governance ("ESG") roadmap including continuing its work on incorporating ESG considerations into the prudential framework; addressing greenwashing; green retail loans and mortgages; further guidelines for ESG risks management; and quantifying ESG risks.

The report also notes that the EBA awaits the results of the EU-wide stress test conducted by the EBA. The results are due for publication at the end of July 2023.

ESAs consultation on the first batch of DORA policy products

On 19 June 2023, the European Supervisory Authorities, the European Securities and Market Authority ("ESMA"), the European Insurance and Occupational Pensions Authority ("EIOPA"), and the European Banking Authority ("EBA") together the ("ESAs"), published a  public consultation on the first batch of policy products under the Digital Operational Resilience Act ("DORA").

DORA entered into force on 16 January 2023 and will apply from 17 January 2025. DORA creates a regulatory framework on digital operational resilience whereby all EU financial entities are required to ensure they can withstand, respond to and recover from all types of ICT-related disruptions and threats.

DORA has mandated the ESAs to jointly develop altogether 13 policy instruments in two batches. The first batch under consultation includes four sets of draft regulatory technical standards ("RTS") and one set of draft implementing technical standards ("ITS") for consultation:

• RTS on ICT risk management framework and RTS on simplified ICT risk management framework;
• RTS on criteria for the classification of ICT-related incidents;
• ITS to establish the templates for the register of information;
• RTS to specify the policy on ICT services performed by ICT third-party providers.

The ESA's note that the technical standards aim to "ensure a consistent and harmonised legal framework in the areas of ICT risk management, major ICT-related incident reporting and ICT third-party risk management". The ESAs have also published an Introductory note on the draft technical standards which includes further information.

Next Steps

The consultation is open for feedback until 11 September 2023. The ESAs expect to submit these draft technical standards to the European Commission by 17 January 2024. 

EBA Updates on Crowdfunding and ML/TF Risks in the Payments Sector

EBA Opinion in response to the European Commission’s proposed amendments to the draft technical standards on crowdfunding service providers

On 14 June 2023, the European Banking Authority ("EBA") published an Opinion on the amendments proposed by the European Commission (the "Commission") to the EBA final draft Regulatory Technical Standards ("RTS") on requirements on credit scoring of crowdfunding projects, pricing of crowdfunding offers, and risk management policies and procedures.

Background

On 10 May 2022, the EBA submitted its final draft RTS and on 2 May 2023, the Commission sent a letter to the EBA about its intention to endorse the RTS with amendments and submitted a modified version of the RTS. 

Opinion

The EBA highlights that the Commission’s amended version of the RTS, includes one substantive change, regarding the treatment of personal data included in the documentation related to the creditworthiness assessment of perspective project owners.

In the draft RTS submitted by the EBA, it is proposed that crowdfunding service providers shall document decisions on the assessment of creditworthiness of project owners and shall keep that documentation “for at least 5 years after the repayment of the final instalment of the loan”. The amendment now requires that personal data included in that documentation shall be kept for a limited period of time (no longer than five years) after the repayment of the final instalment of the loan. This change was made following comments received from the European Data Protection Supervisor.

The EBA's Opinion in accepting the proposed amendment recognises the importance of treating personal data in accordance with the “storage limitation” principle under the General Data Protection Regulation and notes that this change does not prejudice "the specific objective in the RTS of ensuring that crowdfunding providers can access historical data for the purpose of improving the assessment of creditworthiness and the performance of their scoring models".

EBA Report on ML/TF Risks associated with Payment Institutions

On 16 June 2023, the European Banking Authority ("EBA") published its Report on money laundering and terrorist financing ("ML/TF") risks associated with payment institutions following its 2022 assessment of ML/TF  risks in the payment institutions sector.

The EBA notes that the objective of the assessment was to better understand:

5. the scale and nature of the ML/TF risks in the payment institutions sector;

6. the extent to which payment institutions’ anti-money laundering and countering the financing of terrorism ("AML/CFT systems and controls are adequate and effective in tackling those risks; and

7. the effectiveness of current supervisory approaches to tackling ML/TF risk in payment institutions.

The Report's findings overall suggest that "ML/TF risks in the payment institutions sector may not be assessed and managed effectively", in particular:

• supervisors across the Europe consider that the payment institutions sector represents high inherent ML/TF risks and that the systems and controls payment institutions put in place to mitigate those risks are not always effective;
• not all supervisors base the frequency and intensity of on-site and off-site supervision on the ML/TF risk profile of individual payment institutions, and on the ML/TF risks in that sector;
• as supervisory practices at authorisation vary significantly, payment institutions with weak AML/CFT controls may establish themselves in member states where the authorisation process is perceived as less stringent to passport their activities cross-border afterwards; and
• there is no EU-level common approach to the AML/CFT supervision of agent networks, or the AML/CFT supervision of payment institutions with widespread agent networks. The use of agents by payment institutions carries a significant inherent ML/TF risk, especially in a cross-border context.

Next steps

The Report's findings will feed into the EBA's bi-annual ML/TF risk assessment exercise. The EBA highlights that some recently emerged risks (e.g. virtual IBANs or white labelling) will need further assessment. Other risks will require changes to the EU legal framework, for example:

• establishing a more consistent approach to assessing AML/CFT in the authorisation of payment institutions;
• reinforcing the consideration of ML/TF risks in the process of passporting notifications and ultimately establishing clear and coherently interpreted provisions for objection, on ML/TF risk grounds, in the passporting context; and
• taking steps towards a more consistent treatment of agents of payment institutions in a cross-border context, including a more coherent approach to the AML/CFT supervision of such agents across Europe.